DETAILED ACTION

Response to Arguments 

1. Applicant's arguments filed on February 25, 2004 have been fully considered but 
they are not persuasive. 

In light of the Board of Patent Appeals decision to affirm the examiner, the 
examiner has maintained the previous rejection of claims 1-26 under 35 USC 103 in 
light of Shwed, U.S. Patent 5,606,668. It is argued that the teachings of Shwed fail to 
disclose "wherein a security policy comprises multiple rules" and additionally fail to 
disclose "a domain comprises at least one security policy and a security policy 
comprises multiple rules, and that a plurality of administrators are associated with the 
plurality of domains." The examiner contends that these limitations are still disclosed by 
Shwed; please refer to the rejection below. 

The examiner has additionally applied the teachings of Shwed et al, U.S. Patent 
5,835,726; please refer to the rejection as recited below. 

Information Disclosure Statement 

1. The information disclosure statement (IDS) submitted on February 25, 2004 is in 
compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure 
statement is being considered by the examiner. 
Claim Rejections - 35 USC §112 

2. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

3. Claims 3-5 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

4. Claims 3 and 4 recite the limitation "the set" in line 2. There is insufficient 
antecedent basis for this limitation in the claim. 



Claim Rejections - 35 USC § 102 

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

6. Claims 1-26 are rejected under 35 U.S.C. 102(e) as being anticipated by Shwed 
et al, U.S. Patent 5,835,726. 

As per claims 1,8,12,17, and 22, it is taught by Shwed et al of a method and 
computer system for validating packets in a computer network by means of a firewall 
(col. 2, lines 26-29,41-44, col. 3, lines 42-45, and col. 14, lines 62-65). It is inherent that 
a processor is contained within the teachings of Shwed et al since processors are 
important for being the control unit of a computer for fetching and executing instructions 
to perform specific tasks. A client initiates a request for a session with a host (col. 20, 
line 65 through col. 21, line 2). A session key is agreed upon (by deriving it) in regards 
to the packets/data items (col. 15, lines 28-30). A rule base (containing a security 
policy) is maintained (by pre-selecting) as to handling inbound and outbound 
communications packets that includes function of a session key (col. 14, line 59 through 
col. 15, line 2). The security policy is comprised of multiple security rules that dictate if 
the packet is to be accepted (validated) or denied based on the filtering language 
instructions (col. 2, lines 45-50, col. 4, lines 1-6, and col. 6, lines 35-38). It is interpreted 
by the examiner that there exist multiple, independent security policies, since it is 
disclosed by Shwed et al that there exist different departments and individuals with 
varying titles at an organization (col. 6, line 62 through col. 7, line 11). 

As per claim 2, Shwed et al discloses of a session key associated with header 
information associated (appended) with the packet (col. 17, lines 60-64). 

As per claim 3, it is taught by Shwed et al of the session key is included with the 
source and destination addresses (col. 17, lines 44-52). 

As per claim 4, it is disclosed by Shwed et al of the session key is included with 
the source and destination IP addresses (col. 17, lines 44-52). 

As per claim 5, Shwed et al discloses of the use of transmission control protocol 
(TCP) for the type (next level) of protocol (col. 18, lines 1-3). 

As per claims 6,18,19,23, and 24, it is recited in the teachings of Shwed et al of a 
plurality of network interfaces located in each computer on the network (col. 9, lines 6- 
8). The source IP address indicates where a request was sent from, i.e. the sending 
network interface (col. 20, lines 2-4). 

As per claims 7,20,21,25, and 26, it is taught by Shwed et al of a plurality of 
network interfaces located in each computer on the network (col. 9, lines 6-8). The 
destination (where the request is to be sent) IP address indicates where a request is 
sent to, i.e. the destination network interface (col. 22, lines 50-52). 

As per claims 9,10,13, and 14, Shwed et al discloses of a security policy 
comprises of multiple security rules that dictate if the packet is to be accepted 
(validated) or denied based on the filtering language instructions as is based on a 
firewall (col. 2, lines 45-50, col. 4, lines 1-6, col. 6, lines 35-38, and col. 14, lines 62-65). 
It is based on different groups and subgroups within a given group (col. 6, line 62 
through col. 7, line 11 and as shown in Figure 3-2). 

As per claims 11 and 15, it is taught by Shwed et al of an administrator for a 
given group has the ability to modify the rules of a security policy for a group (col. 3, 
lines 39-54, col. 6, line 62 through col. 7, line 11, col. 7, lines 61-65, and as shown in 
Figure 3-2). 

As per claim 16, Shwed et al discloses of a method and computer system for 
validating packets in a computer network by means of a firewall (col. 2, lines 26-29,41- 
44, and col. 14, lines 62-65). A session key is agreed upon (by deriving it) in regards to 
the packets (col. 15, lines 28-30). A rule base (containing a security policy) is 
maintained as to handling inbound and outbound communications packets that includes 
function of a session key (col. 14, line 59 through col. 15, line 2). The security policy is 
comprised of multiple security rules that dictate if the packet is to be accepted 
(validated) or denied based on the filtering language instructions (col. 2, lines 45-50, col. 
4, lines 1-6, and col. 6, lines 35-38). Figure 3-2 shows a plurality of domains to which 
multiple security policies are applied (col. 6, lines 35-38). An administrator for a 
given group has the ability to modify the rules of a security policy for a group (col. 3, 
lines 39-54, col. 6, line 62 through col. 7, line 11, col. 7, lines 61-65, and as shown in 
Figure 3-2). It is interpreted by the examiner that there exist multiple administrators for 
a plurality of domains, since it is disclosed by Shwed et al that the number of possible 
network configurations can be virtually limitless, which includes configuring a plurality of 
domains with a plurality of administrators (col. 5, lines 39-54). 



Claim Rejections - 35 USC § 103 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. Claims 1-26 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shwed, U.S. Patent 5,606,668. 

As per claims 1-7,17-21, and 22-26, Shwed describes a security system for a 
computer network that implements packet filtering (col. 3, lines 59-65). Shwed teaches 
that his system applies a particular security rule to an incoming packet (col. 7, lines 14- 
24) based on data extracted from the incoming packet (col. 8 lines 39-49 and Fig 8). 
The security policy is comprised of multiple security rules that dictate if the packet is to 
be accepted (validated) or denied based on the filtering language instructions (col. 2, 
lines 1-4,45-54 and col. 4, lines 23-26). 

As per claim 1, Shwed does not explicitly teach that his system derives a session 
key for the incoming packet. However, processing the extracted packet data in the 
Shwed invention (col. 8, line 39 to col. 9, line 63) would have been recognized by one of 
ordinary skill in the art, at the time the invention was made, as an obvious equivalent to 
deriving a session key for the incoming packet, because a session key indicates which 
security rule to use for a particular packet. Shwed further teaches that a specific TCP 
destination port may be among the data extracted from the incoming packet (col. 9, line 
64 to col. 10, line 14). Shwed further teaches that his system is implemented using 
gateways having multiple network interfaces (Fig 2), where the gateway is connected 
through a router to the Internet. 

As per claims 2,3,4,5,19,21,24, and 26, Shwed does not explicitly teach that his 
invention processes all types of Internet protocol packets, such as UDP packets, or all 
useful packet data, such as IP addresses. However, the Internet was well-known to 
those of ordinary skill in the art, at the time the invention was made, to utilize layered 
communication protocols, including UDP in addition to TCP, and it was also well-known 
to those skilled in the art that methods used to extract data from the headers of TCP 
packets could be utilized to extract data from UDP packets as well, and that these 
methods could have been utilized to extract many types of packet header information, 
including source address, destination address, next-level protocol, source port, and 
destination port data. It would have been obvious to one skilled in the art, at the time the 
invention was made, to program the Shwed invention to process all types of Internet 
protocol packets and to extract all useful packet header data to assist in security rule 
decision making, because this would have been easy to accomplish within the Shwed 
system and would enable the Shwed system to meet a wide range of user security 
requirements. 

As per claims 6,7,18,20,23, and 25, Shwed teaches that his system is 
implemented using gateways having multiple network interfaces (Fig 2), where the 
gateway is connected through a router to the Internet. Gateways were well-known to 
those of ordinary skill in the art, at the time the invention was made, to allow packets to 
be routed to different network interfaces based on well-known routing algorithms, and 
that these routing algorithms could be simply and favorably utilized in conjunction with 
network security algorithms like those taught by Shwed (col. 8 lines 39-49 and Fig 8). 

As per claims 8-11,12-15, and 16, Shwed describes a security system for a 
computer network that implements packet filtering (col. 3, lines 59-65). Shwed teaches 
that his system applies a particular security rule to an incoming packet (col. 7, lines 14- 
24) based on data extracted from the incoming packet (col. 8, lines 39-49, and Fig 8). 
The security policy is comprised of multiple security rules that dictate if the packet is to 
be accepted (validated) or denied based on the filtering language instructions (col. 2, 
lines 1-4,45-54 and col. 4, lines 23-26). Figure 3-2 shows a plurality of 
domains to which multiple security policies are applied (col. 4, lines 23-26). An 
administrator for a given group has the ability to modify the rules of a security policy for 
a group (col. 4, lines 39-42,60-65, col. 5, lines 51-56, and as shown in Figure 3-2). It is 
interpreted by the examiner that there exist multiple administrators for a plurality of 
domains, since it is disclosed by Shwed et al that the number of possible network 
configurations can be virtually limitless, which includes configuring a plurality of domains with a 
plurality of administrators (col. 3, lines 27-43). 

As per claims 8,9,10,12,13, and 14, Shwed does not explicitly teach the use of 
multiple independent security policies, administered by separate administrators and 
applied to different groups. However, Shwed further teaches (col. 4, lines 27-67) that a 
system administrator may create security rules, and may designate that network objects 
be separated into sub-groups or domains, where sub-groups may utilize different sets of 
security rules (column 4, lines 23-26 and lines 50-57) which would implement multiple 
sets of security policies. (Shwed uses as an example a communication group composed 
of a company's CEO, CFO, directors; security rules could be set up in the Shwed 
system to allow direct communication by this group, but not others, to a finance group 
(col. 4, lines 59-63)). It would have been obvious to one of ordinary skill in the art, at the 
time the invention was made, to allow the creation of specific security rules for a 
particular sub-group of network objects, because this could be accomplished with little 
modification to the Shwed system, and because the creation of independent security 
policies by the creation of multiple sets of rules would give users of the Shwed system 
the benefits of hierarchies of security. 

As per claims 11,15, and 16, although Shwed does not explicitly teach that only 
the administrator of a domain is allowed to modify the security policy rules for that 
domain, it would have been obvious to one of ordinary skill in the art, at the time the 
invention was made, to restrict the creation of security rules for a particular sub-group of 
network objects to a particular system administrator, because this could be 
accomplished with little, if any, modification to the Shwed system, and because the 
creation of rules by a specialist in a particular domain would give the benefits of 
increased security and confidence in the Shwed system. 
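To make the claimed scheme that the examiner maps onto Shwed concrete (a session key derived from packet header fields, a domain whose security policy is made of multiple rules, and one administrator per domain who alone may modify that domain's policy), the following Python model is an added illustration written for this page; it is not code from either patent or the applicant. The field names, wildcard semantics, first-match evaluation and default-deny behaviour are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Session key as the claims describe it: source/destination addresses, next-level
# protocol and ports read from the packet header (constructed model, not patent code).
SessionKey = Tuple[str, str, str, int, int]

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # next-level protocol, e.g. "tcp" or "udp"
    src_port: int
    dst_port: int

def derive_session_key(p: Packet) -> SessionKey:
    # The key selects which security rule applies to this packet.
    return (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)

@dataclass
class Rule:
    action: str                      # "accept" or "deny"
    dst_ip: Optional[str] = None     # None acts as a wildcard (model assumption)
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, key: SessionKey) -> bool:
        _, dst, proto, _, dport = key
        wanted = ((self.dst_ip, dst), (self.proto, proto), (self.dst_port, dport))
        return all(w is None or w == have for w, have in wanted)

@dataclass
class Domain:
    name: str
    administrator: str                                 # the one administrator of this domain
    policy: List[Rule] = field(default_factory=list)   # one policy, multiple rules

    def validate(self, p: Packet) -> str:
        key = derive_session_key(p)
        for rule in self.policy:            # first matching rule decides
            if rule.matches(key):
                return rule.action
        return "deny"                       # default-deny when no rule matches

    def set_rules(self, admin: str, rules: List[Rule]) -> None:
        # Only the administrator associated with this domain may change its policy.
        if admin != self.administrator:
            raise PermissionError(f"{admin} is not the administrator of {self.name}")
        self.policy = list(rules)

def build_domains() -> Dict[str, Domain]:
    # Constructed sample: two domains, separately administered, with independent policies.
    finance = Domain("finance", "alice")
    finance.set_rules("alice", [Rule("accept", dst_ip="10.0.1.5", proto="tcp", dst_port=443)])
    eng = Domain("engineering", "bob")
    eng.set_rules("bob", [Rule("deny", proto="udp"), Rule("accept", proto="tcp")])
    return {"finance": finance, "engineering": eng}
```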



Conclusion 

9. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Coss et al, U.S. Patent 6,170,012 is a related disclosure by the applicant. 
Coss et al, U.S. Patent 6,154,775 is a related disclosure by the applicant. 
Coss et al, U.S. Patent 6,098,172 is a related disclosure by the applicant. 
Hughes et al, U.S. Patent 5,842,040 discloses policy caching to handle related 
protocol data units. 

10. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Christopher A. Revak whose telephone number is 703- 
305-1843. The examiner can normally be reached on Monday-Friday, 6:30am-4:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 703-305-9648. The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 
Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
AU2131